Department of Homeland Security
Office of Inspector General

DHS' Progress in Disaster Recovery Planning for Information Systems

OIG-09-60    April 2009

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 25028

April 16, 2009

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment
to the Inspector General Act of 1978. This is one of a series of audit, inspection, and
special reports prepared as part of our oversight responsibilities to promote economy,
efficiency, and effectiveness within the department.

This report addresses the strengths and weaknesses of DHS’ disaster recovery planning
for information systems. It is based on interviews with employees and officials of
relevant agencies and institutions, direct observations, and reviews of applicable
documents.

The recommendations herein have been developed to the best knowledge available to our
office, and have been discussed in draft with those responsible for implementation. We
trust this report will result in more effective, efficient, and economical operations. We
express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary

Background

Results of Audit

    DHS Has Made Progress in Establishing a Disaster Recovery Program, but
        Improvements Are Needed
    Recommendations
    Management Comments and OIG Analysis

    Contingency Planning for Critical DHS Systems Needs Improvement
    Recommendation
    Management Comments and OIG Analysis

    DHS’ Guidance for Disaster Recovery Related Documentation Needs Improvement
    Recommendations
    Management Comments and OIG Analysis

    DHS Needs to Reassess the Risks Associated with DC1 and DC2
    Recommendations
    Management Comments and OIG Analysis

Appendices
    Appendix A: Purpose, Scope, and Methodology
    Appendix B: Management Comments to the Draft Report
    Appendix C: DHS Data Centers Migration Schedule to DC1 and DC2
    Appendix D: Critical DHS Systems Approved to Operate in FY 2006 and FY 2007
    Appendix E: Major Contributors to this Report
    Appendix F: Report Distribution

Abbreviations
    CIO                  Chief Information Officer
    CBP                  United States Customs and Border Protection
    DC1                  DHS Data Center in Mississippi
    DC2                  DHS Data Center in Virginia
    DHS                  Department of Homeland Security
    DHS 4300A Handbook   DHS 4300A Sensitive Systems Handbook
    FEMA                 Federal Emergency Management Agency
    FIPS Pub             Federal Information Processing Standards Publication
    FY                   Fiscal Year
    ICE                  United States Immigration and Customs Enforcement
    IT                   Information Technology
    NIST                 National Institute of Standards and Technology
    OIG                  Office of Inspector General
    OMB                  Office of Management and Budget
    SSC                  Stennis Space Center
    SP                   Special Publication
    TSA                  Transportation Security Administration
    USCG                 United States Coast Guard
    USCIS                United States Citizenship and Immigration Services
    USSS                 United States Secret Service
    US-VISIT             United States Visitor and Immigrant Status Indicator
                         Technology

Executive Summary

In May 2005, we reported on deficiencies in the Department of
Homeland Security’s disaster recovery planning for information
systems. We recommended that the department allocate the funds
needed to implement an enterprise-wide disaster recovery program
for mission critical systems, require that disaster recovery
capabilities be included in the implementation of new systems, and
ensure that disaster recovery-related documentation for mission
critical systems be completed and conform to current government
standards.

Generally, the department has made progress in establishing an
enterprise-wide disaster recovery program. Specifically, the
department has allocated funds for this program since fiscal
year 2005, and by August 2008 had established two new data
centers. Further, the department now includes contingency
planning as part of the system authorization process and it has
issued guidance to ensure that contingency planning
documentation conforms to government standards.

While the department has strengthened its disaster recovery
planning, more work is needed. For example, the two new data
centers need interconnecting circuits and redundant hardware to
establish an active-active processing capability.
Additionally, not
all critical departmental information systems have an alternate
processing site. Further, disaster recovery guidance does not
conform fully to government standards. Finally, risk assessments
of the data centers are outdated.

We are recommending that the Chief Information Officer
implement the necessary circuits and redundant resources at the
new data centers; ensure that critical departmental information
systems have complete contingency planning documentation; and
conform departmental contingency planning guidance to
government standards. Additionally, the department should
reassess data center risks whenever significant changes to the
system configuration have been made. The department’s response
is summarized and evaluated in the body of this report and
included, in its entirety, as Appendix B.

Background

The Department of Homeland Security (DHS) relies on a variety of
critical information technology (IT) systems and technologies to
support its wide-ranging missions. DHS’ IT systems also allow
employees to communicate internally and for the American public
to communicate with the department.
Following a service
disruption or disaster, DHS must be able to recover its IT systems
quickly and effectively in order to continue performing these
mission essential functions.

In May 2005, we reported on deficiencies in DHS’ ability to
restore its IT systems.[1] Specifically, we reported that DHS’ IT
disaster recovery sites were not prepared to prevent service
disruptions from potentially hindering the department’s ability to
perform mission essential functions. Further, we reported that the
inability to restore DHS’ critical IT systems following a disaster
could have negative effects on the performance of mission
essential functions. We concluded that these potential effects on
DHS’ mission include a disruption in passenger screening
operations, delays in processing grants in response to a disaster,
and delays in the flow of goods across United States borders.

In the May 2005 report, we recommended that the DHS Chief
Information Officer (CIO):

• Allocate the funds needed to implement an enterprise-wide
  disaster recovery program for mission critical systems,
• Require disaster recovery capabilities to be included in the
  planning and implementation of new systems, and
• Require that disaster recovery-related documentation for
  mission critical systems be completed and conform to
  current government standards.

In April 2006, DHS issued action plans to address these
recommendations.[2] Specifically, the CIO would:

• Establish and maintain two operational data centers with an
  “active-active” processing capability. Using the active-active
  approach, each data center will be able to serve as a backup for
  each other,
• Close 16 existing data centers and move the processing into
  these two new data centers. DHS IT staff would use the
  active-active processing capability of these two data centers to
  ensure each mission critical system has a complete disaster
  recovery capability, and
• Require a completed and tested IT contingency plan prior to
  authorizing a system to operate.

[1] Disaster Recovery Planning for DHS Information Systems Needs Improvement, OIG-05-22, May 2005.
[2] Compliance Follow-up to Audit Report – Disaster Recovery Planning for DHS Information Systems
Needs Improvement, OIG-05-22, April 6, 2006.

Additionally, in the first quarter of Fiscal Year (FY) 2006, the CIO
provided DHS components with guidance for the development of
contingency plans.
This guidance, in the form of a template, would
ensure that departmental IT contingency planning documentation
conformed to government standards.

Results of Audit

DHS Has Made Progress in Establishing a Disaster Recovery
Program, but Improvements Are Needed

DHS has taken steps to correct disaster recovery deficiencies identified in
our May 2005 report by allocating funds and establishing two new data
centers. However, additional work is needed to create the planned
active-active processing capability. Specifically, additional
telecommunications circuits, redundant equipment, and sufficient
computer room floor space are necessary to ensure that these two data
centers can be backup sites for each other.

Progress in Funding and Establishing Data Centers

DHS addressed our recommendation to allocate the funds needed
to implement an enterprise-wide disaster recovery program for
mission critical systems. Specifically, DHS has allocated funding
and established two new data centers as part of its strategy to
mitigate disaster recovery deficiencies. Funds for the first data
center, called DC1, have been appropriated every year since
FY 2005. Additionally, in FY 2008, DHS awarded a multi-year
contract not to exceed $391 million to Computer Sciences
Corporation to manage DC1.

DC1, also called the National Center for Critical Information
Processing and Storage, is a government owned facility at the
John C. Stennis Space Center (SSC) in Mississippi.
DHS
components that have moved systems to DC1 include United
States Customs and Border Protection (CBP), United States
Immigration and Customs Enforcement (ICE), National Protection
and Programs Directorate, and DHS’ Management Directorate.

In FY 2008 DHS awarded a multi-year contract not to exceed
$820 million to Electronic Data Systems to operate the second data
center, called DC2. DC2 is a contractor owned and operated
facility in Clarksville, VA. While construction of DC2 continues,
the Transportation Security Administration (TSA) and the United
States Visitor and Immigrant Status Indicator
Technology (US-VISIT) office have started transferring IT assets
to this facility.

Lack of Connectivity between Data Centers Hinders Recovery
Capabilities

DHS has not established the necessary connectivity to ensure that
DC1 and DC2 can provide backup capabilities for each other.
Specifically, the necessary telecommunications equipment and
circuits are not in place to transmit data from one site to the other
for backup purposes.
Without the necessary connectivity between
the two data centers, DHS might not be able to back up and restore
mission critical systems within users’ required time frames.

Redundant Equipment

DHS has not installed redundant hardware and software at DC1
and DC2 for use in recovering from a systems outage. For
example, while resources for Management Directorate systems are
installed and operating at DC1, duplicate resources are not
installed at DC2. Specifically, DHS has eliminated its Internet
gateways from locations in Missouri and Georgia and consolidated
them into one gateway at DC1. However, DHS has not installed
redundant equipment at DC2 for the Internet gateway. As a result,
if DC1 is not accessible, some DHS users may not have access to
the Internet.

The need for redundant equipment at DC2 is especially critical due
to the single points of failure that exist at DC1. For example, the
electrical power for DC1 comes from one sub-station and is routed
through one switch room. Similarly, the telecommunications
circuits for DC1 come from one building at SSC and are routed
through one telecommunications closet.
These power and
telecommunications single points of failure increase the risk that
DHS systems at DC1 may not be accessible following an outage.
According to CIO staff, DHS is in the process of procuring the
necessary circuits.

Insufficient Computer Room Space

The amount of usable computer room space at DC1 is not
sufficient to handle the projected workload. Specifically, DHS
plans to migrate processing from 11 data centers to DC1.[3] While
DHS has already moved processing from 5 of these data centers to
DC1, migrating 4 additional data centers will exceed the available
computer room floor space at DC1 by 2,096 square feet.[4] See
Table 1.

[3] See Appendix C: DHS Data Centers Migration Schedule to DC1 and DC2.

Table 1: DC1 Computer Room Space Allocation

                                                                  Secure Storage
                                               Computer           Computer           Total Computer
                                               Room Space         Room Space         Room Space
                                               (Square Feet)      (Square Feet)      (Square Feet)
Space already in use at DC1                    11,738             816                12,554
Migration of United States Coast Guard
  (USCG) data center from Kearneysville, WV    12,000*            320*               12,320
Migration of Federal Emergency Management
  Agency (FEMA) data center from Denton, TX    1,120*             520*               1,640
Migration of United States Secret Service
  (USSS) data center from Washington DC        12,600*            1,110*             13,710
Migration of TSA data center from
  Annapolis, MD                                4,500*             0*                 4,500

Total required computer room space at DC1      41,958             2,766              44,724
Total available computer room space at DC1     38,521             4,107              42,628
Total known excess/(shortfall) in computer
  room space at DC1                            (3,437)            1,341              (2,096)

*Data center computer room floor space in FY 2004.

Additionally, migration of processing from the remaining 2 data
centers as well as the installation of redundant equipment to
provide the active-active processing with DC2 would further
increase the shortfall of computer room floor space at DC1.
DC1 and DC2 cannot be active-active data centers if there is
insufficient computer room floor space to house the redundant
equipment needed to support disaster recovery operations.

[4] DHS has on-going asset discovery efforts to update the 2004 floor space requirements. Similar discovery
efforts, where undertaken, have revealed less floor space usage than the 2004 data call indicated.

According to Office of Management and Budget (OMB) Circular
A-130, Management of Federal Information Resources:

    “Inevitably, there will be service interruptions. Agency plans
    should assure that there is an ability to recover and provide
    service sufficient to meet the minimal needs of users of the
    system.”

Additionally, according to DHS 4300A Sensitive Systems
Handbook (DHS 4300A Handbook):

    “Care must be taken to ensure systems are designed with no
    single point of failure.”

Recommendations

We recommend that the DHS CIO:

Recommendation 1: Provide the necessary resources to ensure
that DC1 and DC2 have the connectivity, equipment, and computer
room floor space to act as alternate processing sites for each other.

Recommendation 2: Provide redundancy to eliminate reported
power and telecommunications single points of failure at DC1.

Management Comments and OIG Analysis

The DHS Acting CIO concurred with both recommendations.
These recommendations will be considered resolved but open
pending verification of all planned actions.

Contingency Planning for Critical DHS Systems Needs
Improvement

DHS requires that disaster recovery capabilities be included in the
planning and implementation of new systems. Specifically, before
authorizing information systems to operate, DHS requires a completed and
tested IT contingency plan for system authorization. However, in
FY 2006 and FY 2007 DHS authorized the operation of critical systems
that did not have an alternate processing site and critical systems that had
incomplete contingency planning documents.[5]

We reviewed contingency planning information for systems whose
security categorization in each security objective of confidentiality,
integrity, and availability was categorized as high.[6] During FY 2006 and
FY 2007, DHS authorized 27 critical systems to operate, of which 8 (30%)
did not have an identified alternate processing site.
See Table 2.

Table 2: Critical DHS Information Systems without an Identified
Alternate Processing Site

DHS Component             System Name                                  Alternate Site (Y/N)
Management Directorate    DHS Interactive                              N
Management Directorate    Sunflower Asset Management System            N
Management Directorate    DHS Online                                   N
Management Directorate    Stennis Data Center LAN                      N
USCG                      Shipboard Command and Control System         N
US-VISIT                  Automated Biometric Identification System    N
TSA                       TSANet                                       N
TSA                       TSA Operating Platform                       N

Additionally, only 4 of the 27 critical systems (15%) had contingency
plans that had been tested fully. Specifically, 17 (63%) of these systems
had only a limited contingency test, such as a table top exercise. Further,
the contingency plans for 6 of these systems (22%) had not been tested in
the last year.
Without a full contingency plan test at an alternate
processing site, DHS critical systems might not be able to recover in a
timely fashion after an outage.

[5] See Appendix D, Critical DHS Systems Approved to Operate in FY 2006 and FY 2007.
[6] Federal Information Processing Standard Publication (FIPS Pub) 199, Standards for Security
Categorization of Federal Information and Information Systems, provides guidance for categorizing
information systems based on the three security objectives of confidentiality, integrity, and availability.
The security categories are low, moderate, and high. Additionally, National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-53, Recommended Security Controls for Federal
Information Systems, provides guidance for controls based on the security objectives and categories.

Further, 15 of these 27 critical systems (56%) did not include the required
business impact analysis with the contingency plan. A business impact
analysis is used to determine contingency requirements such as maximum
allowable outage times.
For example, if the maximum allowable outage is
four hours, a recovery process would need to be designed to resume
processing within four hours at an alternate site.

According to DHS 4300A Handbook:

    “When testing is required, IT Contingency Plans shall be
    tested/exercised annually.”

Additionally, according to National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-53, Recommended
Security Controls for Federal Information Systems, when a system’s
availability security objective is categorized as high:

    “The organization includes a full recovery and reconstitution of the
    information system as part of contingency plan testing.”

According to NIST SP 800-34, Contingency Planning Guide for
Information Technology Systems:

    “The BIA [Business Impact Analysis] enables the Contingency
    Planning Coordinator to fully characterize the system requirements,
    processes, and interdependencies and use this information to determine
    contingency requirements and priorities.”

Recommendation

We recommend that the DHS CIO:

Recommendation 3: Ensure that business impact assessments are
performed, alternate processing sites are identified, and
contingency plans tested annually for critical DHS information
systems.

Management Comments and OIG Analysis

The DHS Acting CIO concurred with recommendation 3.
This
recommendation will be considered resolved but open pending
verification of all planned actions.

DHS’ Guidance for Disaster Recovery Related Documentation
Needs Improvement

DHS addressed our previous recommendation to require that disaster
recovery-related documentation for mission critical systems be completed
and conform to current government standards. Specifically, the CIO
provided guidance to DHS components for the preparation of contingency
plans. This guidance, the DHS 4300A Handbook Attachment K, IT
Contingency Plan Template, details the information that is to be included
in contingency planning documentation. However, this template is
incomplete. Specifically, the template does not include the following
information:

• Backup operations plan,
• Written access controls policies and procedures, and
• Preservation of audit information.

The addition of the above items to the template will help ensure DHS
components will be able to develop better plans for restoring systems. For
example, inclusion of documented access control policies and procedures
in the contingency plan reduces the risk of unauthorized disclosure,
modification, or destruction of the data residing in the restored systems.

Additionally, DHS contingency planning guidance does not conform fully
to government-wide standards. Specifically, according to NIST
SP 800-53, if an agency has a system with a high impact for availability, it
should have an alternate site. However, DHS has created an exception to
this requirement.
Specifically, DHS components shall not categorize a
system as high impact for availability if it does not have an alternate site.
According to DHS 4300A Handbook:

    “If resources for establishing an alternate site are not available or
    identified, then a system shall not be categorized as high impact for
    availability.”

Contingency planning security controls are based on the potential impact
to organizations or individuals should there be a loss of system
availability. This potential impact to availability is categorized as low,
moderate or high. For example, according to NIST SP 800-60, Volume II:
Appendices to Guide for Mapping Types of Information and Information
Systems to Security Categories:

    “The consequences of disruption of access to information or
    information systems associated with ensuring security of
    transportation and infrastructure networks, facilities, vehicles, and
    personnel within the United States may be severe. Also, anti-terrorism
    missions are not reliably tolerant of delays.
   The availability impact
   level for information systems that ensure the security of transportation
   and infrastructure networks, facilities, vehicles, and personnel within
   the United States is high.”

Recommendations

We recommend that the DHS CIO:

Recommendation 4: Update the contingency planning template
to include all required contingency planning information.

Recommendation 5: Revise the DHS 4300A Handbook to
comply with government-wide contingency planning guidance.

Management Comments and OIG Analysis

The DHS Acting CIO concurred with both recommendations.
These recommendations will be considered resolved but open
pending verification of all planned actions.

DHS Needs to Reassess the Risks Associated with DC1 and DC2

The DHS risk assessments for DC1 and DC2 are out of date and
incomplete. Additionally, there are unmitigated threats and vulnerabilities
at DC1 and DC2 that may impact their ability to conduct normal
operations. DHS should re-assess the risks associated with operating these
data centers and establish sufficient controls to mitigate unacceptable
weaknesses.

Risk Assessment for DC1

DHS performed a risk assessment on DC1 in July 2006. However,
it was not updated when the telecommunications systems were
installed.
Further, the risk assessment did not include specific
threats and vulnerabilities that might place DHS systems at risk.
These include:

   • Being located within 2 miles of a rocket test facility,
   • Being located in a former munitions assembly plant,
   • Being located 20 miles from the Gulf Coast, and
   • The clearance level of the facilities guards and contractors.

For example, the DC1 risk assessment did not quantify the risk
associated with a potential rocket engine test or explosion even
though DC1 is located within two miles of a rocket test facility.
See Figure 1. Specifically, the assessment did not state if the
facility would be accessible in the event of a catastrophic rocket
engine test failure. The assessment also did not include the risks
associated with acoustical vibrations associated with a normal
engine test even though the facility is within a 125,000-acre
acoustical buffer zone.

Additionally, the risk assessment did not address environmental
contamination. DC1 is in a facility that once was used to construct
howitzer shells.
Risks associated with working in a former
munitions facility, such as lead contamination or unexploded
munitions, should be quantified to ensure the safety of staff and
their ability to operate the facility.

Figure 1: DC1 is within 2 miles of SSC rocket engine test facilities.
[Figure labels: DC1; complex containing the SSC Visitor Center and the
single point of failure telecommunications building.]

Further, DC1 is located approximately 20 miles from the Gulf
Coast, which is vulnerable to a hurricane’s damaging winds and
floods. However, the risk assessment did not recommend the
development of action plans to prepare for potential impacts from
hurricanes. These impacts could include the lack of access of
operating personnel, flooding, and power failures.

There are also unmitigated vulnerabilities at DC1. For example,
the initial risk assessment identified the need for a perimeter fence
around DC1. As of December 2008, DHS still had not funded
installation of the fence.
This perimeter fence will be especially
important as StenniSphere, the official SSC Visitor Center, is less
than a mile from DC1, and it is accessible by anyone with a valid
driver’s license or passport.

Risk and Physical Assessments for DC2

The risk assessment for DC2 was performed in April 2008, prior to
the final implementation of hardware and telecommunications
systems. Additionally, the DC2 physical security assessments did
not address the placement of two 25,000 gallon diesel fuel storage
tanks within several feet of the building. See Figure 2. The risk
assessment should disclose the risk of a storage tank fire either
damaging the walls of the facility or restricting safe exit from the
building.

Figure 2: Diesel fuel tanks and backup generators adjacent to DC2.

Further, the risk assessment reported that the water-based fire
suppression system was considered adequate by the DC2 facility
contractor. However, the risk assessment did not cite the potential
for damage to equipment from the use of a water-based fire
suppression system instead of a clean agent fire extinguishing
system, such as the fire suppression system at DC1. For example,
the water-based sprinklers are located in both the raised floor
computer room and also in the Uninterruptible Power Supply
battery room. Accidental discharge of the sprinklers could damage
hardware or short out backup batteries.

There are also unmitigated vulnerabilities at DC2.
For example, a
physical assessment and site survey of DC2 cited the risks
associated with maintaining only one guard onsite, rather than the
recommended minimum of two onsite guards at all times.
Additionally, a survey for storing sensitive data at DC2 reported
that the guards had inadequate clearances for this type of facility.

According to DHS Sensitive Systems Policy Directive 4300A:

   “Components shall conduct and document risk assessments
   every three years, when high impact weaknesses are
   identified, or whenever significant changes to the system
   configuration or to the operational/threat environment have
   been made, whichever occurs first.”

Recommendations

We recommend that the DHS CIO:

Recommendation 6: Re-perform risk assessments at DC1 and
DC2 and continue to do so whenever there has been a significant
change to the system configuration or the operating environment.

Recommendation 7: Prepare the necessary plans of actions and
milestones to mitigate known threats and vulnerabilities associated
with DC1 and DC2.

Management Comments and OIG Analysis

The DHS Acting CIO concurred with both recommendations.
These recommendations will be considered resolved but open
pending verification of all planned actions.

Appendix A
Purpose, Scope, and Methodology

This is the first in a series of reports on DHS disaster recovery
planning.
Specifically, this audit is a follow-up of our report
Disaster Recovery Planning for DHS Information Systems Needs
Improvement (OIG-05-22). Each report will address the three
recommendations made in the original audit, but will focus on
specific DHS components. This report focuses on DHS’
Management Directorate and its two new data centers.

The overall objective of this audit was to evaluate the progress
DHS has made in the acquisition and management of disaster
recovery alternate sites for the general support systems comprising
its network backbone. We reviewed DHS policies and procedures,
communications diagrams, facility surveys, prior audit reports,
contingency planning documentation, and wiring diagrams.
Auditors performed on-site inspections and interviewed key
personnel.

Our fieldwork was conducted at DHS Management Directorate
facilities and organizational elements in the Washington, DC
metropolitan area, Stennis Space Center, Mississippi, and
Clarksville, Virginia. We conducted this audit between June 2008
and December 2008.

We provided DHS staff with briefings and presentations
concerning the results of fieldwork and the information
summarized in this report. We conducted this performance audit
in accordance with generally accepted government auditing
standards.
Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our
audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our
audit objectives.

We appreciate the efforts by DHS management and staff to provide
the information and access necessary to accomplish this audit. The
principal Office of Inspector General (OIG) points of contact for
the audit are Frank Deffer, Assistant Inspector General for
Information Technology Audits (202) 254-4100 and Sharon
Huiswoud, Director, Information Systems (202) 254-5451.
Major
OIG contributors to the audit are identified in Appendix E.

Appendix B
Management Comments to the Draft Report

Appendix C
DHS Data Centers Migration Schedule to DC1 and DC2

Components’ Data Center                                       Migrated to/Plan to Migrate to  Completion Schedule

CBP
  National Data Center (Springfield, VA)                      DC2                             Q4 of FY 2010
  Disaster Recovery Facility (Undisclosed)                    DC1                             Q2 of FY 2008
  ACE (Tyson’s Corner, VA)                                    DC1                             Q3 of FY 2009
DHS Management Directorate
  DHS/CIO (Bluemont, VA)                                      DC1                             Q2 of FY 2010
  DHS Ashburn Data Center (Ashburn, VA)                       DC1                             Q2 of FY 2008
  DHS HSDN Fair Lakes (Fairfax, VA)                           DC2                             Q4 of FY 2008
  DHS Stafford Data Center (Garrisonville, VA)                DC1                             Q4 of FY 2007
ICE
  ICE – (Rockville, MD)                                       DC2                             Q4 of FY 2008
  ICE – (Dallas, TX)                                          DC2                             Q4 of FY 2008
United States Citizenship and Immigration Services (USCIS)
  USCIS – DOJ (Rockville, MD)                                 DC2                             Q1 of FY 2010
  USCIS – DOJ (Dallas, TX)                                    DC2                             Q1 of FY 2010
  USCIS – Verizon (Manassas, VA)                              DC2                             Q2 of FY 2010
US-VISIT
  US-VISIT (Rockville, MD)                                    DC2                             Q2 of FY 2011
  US-VISIT (Dallas, TX)                                       DC2                             Q4 of FY 2009
FEMA
  Information Technology Services Center (Bluemont, VA)       DC2                             Q4 of FY 2009
  FEMA (Denton, TX)                                           DC1                             Q2 of FY 2010
TSA
  IBM St. Louis Hosting Center (Hazelwood, MO)                DC2                             Q4 of FY 2008
  TSA Headquarters (Arlington, VA)                            DC2                             Q1 of FY 2009
  Annapolis Junction Data Center (Annapolis, MD)              DC1                             Q2 of FY 2010
  Colorado Springs Data Center (Colorado Springs, CO)         DC1                             Q2 of FY 2010
  Atlantic City Data Center (Atlantic City, NJ)               DC1                             Q2 of FY 2011
USCG
  Aircraft Repair and Supply Center (Elizabeth City, NJ)      DC2                             Q4 of FY 2010
  Coast Guard Finance Center (Chesapeake, VA)                 DC2                             Q4 of FY 2010
  OIT Data Center (Kearneysville, WV – Continuity Solution)   DC1                             Q3 of FY 2009
USSS
  USSS (H Street, Washington, DC)                             DC1                             Q3 of FY 2010
  USSS (Undisclosed)                                          DC2                             Q1 of FY 2011

Appendix D
Critical DHS Systems Approved to Operate in FY 2006 and FY 2007

DHS Component           System Name                                        Alternate   Full Contingency  Contingency          Business Impact
                                                                           Site (Y/N)  Test (Y/N)        Test Type            Analysis (Y/N)

Management Directorate  DHS Interactive                                    N           N                 Tabletop             N
Management Directorate  Sunflower Asset Management System                  N           N                 Tabletop             N
Management Directorate  DHS Online                                         N           N                 Tabletop             Y
Management Directorate  Stennis Data Center LAN                            N           N                 Tabletop             N
CBP                     Automated Export System                            Y           N                 Tabletop             Y
CBP                     NDC Mainframe System                               Y           N                 Tabletop             Y
CBP                     Traveler Enforcement Compliance System             Y           N                 Tabletop             N
CBP                     DHS OneNetwork                                     Y           N                 Tabletop             N
CBP                     Automated Targeting System                         Y           N                 Tabletop             Y
USCG                    CGDN Plus Tier 1                                   Y           N                 Three subject        N
USCG                    Fleet Logistics System                             Y           Y                 Scripted Test        Y
USCG                    Naval and Electronics Supply Support System        Y           Y                 Scripted Test        Y
USCG                    Shipboard Command and Control System               N           N                 Onsite Hardware Fix  Y
USCG                    Automated Mutual Assistance Vessel Rescue System   Y           N                 No test in one year  Y
USCG                    Maritime Awareness Global Network                  Y           N                 No test in one year  N
USCG                    Marine Information for Safety and Law Enforcement  Y           Y                 Scripted Test        Y
USCG                    SBU-LAN – Operations Service Center                Y           Y                 Full scale test      Y
ICE                     Password Issuance and Control System               Y           N                 Tabletop             N
ICE                     Security Activities Reporting System               Y           N                 Tabletop             N
ICE                     Student and Exchange Visitor Information System    Y           N                 Tabletop             N
FEMA                    DHS Texas - GSS                                    Y           N                 Tabletop             N
FEMA                    Agile Systems Development                          Y           N                 Tabletop             N
US-VISIT                Automated Biometric Identification System          N           N                 No test in one year  N
TSA                     TSANet                                             N           N                 Tabletop             Y
TSA                     TSA Operating Platform                             N           N                 Tabletop             Y
TSA                     TSIS Remote Access to Classified Enclaves          Y           N                 Tabletop             N
TSA                     Central Information Distribution System            Y           N                 Failover             N

Note: These critical systems had security categorizations of “high” in each of the three security
objectives of confidentiality, integrity, and availability.

Appendix E
Major Contributors to this Report
Sharon Huiswoud, Director, Department of Homeland Security,
Information Technology Audits

Kevin Burke, Audit Manager, Department of Homeland Security,
Information Technology Audits

Domingo Alvarez, Senior Auditor, Department of Homeland
Security, Information Technology Audits

Matthew Worner, Program Analyst, Department of Homeland
Security, Information Technology Audits

Maria Rodriguez, Referencer

Appendix F
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff for Operations
Chief of Staff for Policy
Acting General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Under Secretary, Management
Assistant Secretary for Office of Policy
Assistant Secretary for Public Affairs
Assistant Secretary for Legislative Affairs
Chief Information Officer (CIO), DHS
Chief Privacy Officer
Deputy CIO, DHS
Chief Information Security Officer, DHS
DHS CIO Audit Liaison

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as
appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4199,
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.
"